Morgan, a popular HTTP request logger middleware for Node.js, saw a minor version update from 1.2.2 to 1.2.3. Both versions, licensed under MIT, are designed to simplify logging HTTP requests in your applications. Examining the changes reveals subtle but important updates for developers.
A key difference lies in the dependencies. Version 1.2.2 relies on the finished package (version ~1.2.2), while version 1.2.3 replaces it with on-finished (version 2.1.0). This suggests a focus on improved and more reliable request completion detection, vital for accurate logging. Developers upgrading should be aware of this dependency swap, although the impact on basic usage is likely minimal.
Both versions share common dependencies such as depd, bytes, and basic-auth, indicating that the core functionality remains consistent. The developer tooling, including mocha, should, istanbul, and supertest, is unchanged between the two versions, so the same quality assurance tests can be run against either.
While both versions are authored by Jonathan Ong, the repository URL in version 1.2.3 uses the https scheme (so fetches over that URL are TLS-protected), whereas version 1.2.2 used the git scheme. The release dates reflect the update: version 1.2.3 was published on August 17, 2014, following version 1.2.2 on July 27, 2014. The upgrade primarily addresses internal improvements to request handling, so existing Morgan deployments may gain the improved reliability of on-finished without significant code changes, making this a low-risk upgrade for most users.
All vulnerabilities affecting version 1.2.3 of the package
Code Injection in morgan
Versions of morgan before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack.
Update to version 1.9.1 or later.
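To make the advisory's vulnerability class concrete from a defender's point of view, the following added example (written for this page, not morgan's code) contrasts two ways of compiling a log format string such as ":method :url :status" into a line builder. The first splices the format into JavaScript source and evaluates it, so any untrusted characters in the format become code; the second parses the format into literal and token parts and only ever looks tokens up, rejecting inherited keys so a polluted prototype cannot supply a handler. The token set and the constructed format strings are assumptions for illustration.

```javascript
// Added example, not morgan's implementation: the same feature (format-string
// driven log lines) built unsafely and safely.

// The only values a format may pull in (constructed set of token handlers).
const tokens = {
  method: (req) => req.method,
  url: (req) => req.url,
  status: (req, res) => String(res.statusCode),
};

// UNSAFE: generates source text from the format and evaluates it. Anything in
// `format` that is not a recognised token is copied into the function body
// verbatim, so a format influenced by a user is a code-injection sink.
function compileUnsafe(format) {
  const body = '"' + format.replace(
    /:(\w+)/g,
    '" + (tokens.$1 ? tokens.$1(req, res) : "-") + "'
  ) + '"';
  return new Function('tokens', 'req', 'res', 'return ' + body + ';').bind(null, tokens);
}

// SAFE: parse once into data, render by lookup. No part of the format reaches
// an evaluator; unknown tokens render as "-"; hasOwnProperty ensures only the
// handlers we defined are callable, even if Object.prototype has been polluted.
function compileSafe(format) {
  const parts = [];
  const re = /:(\w+)/g;
  let last = 0;
  let m;
  while ((m = re.exec(format)) !== null) {
    if (m.index > last) parts.push({ literal: format.slice(last, m.index) });
    parts.push({ token: m[1] });
    last = re.lastIndex;
  }
  if (last < format.length) parts.push({ literal: format.slice(last) });

  return (req, res) => parts.map((p) => {
    if (p.literal !== undefined) return p.literal;
    const own = Object.prototype.hasOwnProperty.call(tokens, p.token);
    const handler = own ? tokens[p.token] : null;
    return typeof handler === 'function' ? handler(req, res) : '-';
  }).join('');
}

// Constructed sample request/response and formats.
const sampleReq = { method: 'GET', url: '/login' };
const sampleRes = { statusCode: 302 };
const NORMAL_FORMAT = ':method :url :status';
// Constructed hostile format: closes the generated string literal and inserts an
// expression. Harmless arithmetic here, but the unsafe compiler evaluates it.
const INJECTED_FORMAT = '" + (6*7) + "';

module.exports = { tokens, compileUnsafe, compileSafe, sampleReq, sampleRes, NORMAL_FORMAT, INJECTED_FORMAT };
```

Both compilers produce "GET /login 302" for the normal format, which is why the unsafe design survives in practice: it only misbehaves on input the author never expected. With the injected format the unsafe compiler returns "42", proving the expression ran, while the safe compiler returns the format unchanged as literal text, and a token named `__proto__` renders as "-" instead of reaching an inherited property.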